Healthcare is an industry under siege. This statement was true yesterday and was underscored by the massive ransomware attack. Care providers are targeted by cybercriminals with greater frequency than any other organisation. And thanks to old equipment and flagging security standards, these attacks find success far more often than they should.
Security is no longer just about protecting our data — it is about protecting health, safety and well-being. Thousands of innocent patients were affected by the attack, ranging from diverted ambulances to canceled open heart surgeries.
But what is the root of these attacks? Why do they occur with such frequency? And more importantly, what can be done about them?
In 2016, the number of major cyberattacks targeting healthcare organisations increased by 63%. There is every indication that this number will increase even further in 2017. This past March, for example, healthcare organisations saw 155% more breached records than they did the previous year.
From a criminal’s perspective, healthcare records are a golden goose. They contain all the information necessary for medical identity fraud, an extremely lucrative crime. And they sell for up to ten times the price of stolen credit card numbers on the black market.
This is compounded by the fact that healthcare security still lags well behind other industries. It is easier for a criminal to lift medical data from several small clinics than it is to steal money from a bank, for example. Given the potential for a much greater payoff, it is not difficult to see why so many criminals have hospitals and clinics in their crosshairs.
And unfortunately, there is no easy solution to this paradigm.
The heart of healthcare’s cybersecurity woes can be traced to a single cause – the men and women who run healthcare organisations are clinicians, not IT professionals. Though brilliant physicians and businesspeople, they are not security experts. They allot most of their organisational budget towards excellent patient care and medical advances.
Information technology is often an afterthought, even as more and more healthcare data is digitised.
It is why aging outdated legacy infrastructure is so common a sight in hospitals. It is why healthcare IT departments are understaffed, overworked, and under-budgeted. And it is why for hackers, healthcare organisations are an ideal target, the perfect blend of valuable data and poor security.
The entry of connected devices into hospitals and clinics will make things even worse if left unaddressed. Internet of Things medical devices like infusion pumps and cardiac implants frequently contain vulnerabilities with the potential to be life-threatening. As for regulations and security standards, which many providers already have difficulty adhering to, they have failed to evolve as quickly as the threat landscape.
There are many things that need to change about the healthcare industry if we are to better protect patient data. The first and most important, however, is its culture. I am not saying we should deprioritise patient care and medical research in favor of cybersecurity, far from it.
Rather, I am saying that device makers and care providers alike need to stop treating care and security as two separate entities. They are not. Ensuring health data is safe from people who would misuse it, is just as much a part of effective patient care as efficient treatment.
Technology is available to make the theft of healthcare more difficult. Providers can update their IT systems. They can incorporate diligent employee training courses and security guidelines. They can deploy multiple layers of cyber threat protection and secure their networks. If they do not, the WannaCry’s of the world will continue to wreak havoc on the industry by stealing data and ending life.
While the attacks are extremely unfortunate, I hope it serves as a wake-up call to care providers. Protecting patients does not end when they walk out the door. They have an obligation to keep their patient’s information safe, and that starts and ends with security.
While medical care is primary, secure protection of health records is equally important, argues Mark Wilson at BlackBerry.
Key takeaways
- Aging, outdated legacy infrastructure is a common sight in hospitals
- Healthcare woes can be traced to a single cause, men and women who run organisations are clinicians, not IT professionals
- Healthcare IT departments are understaffed, overworked, under-budgeted
- Healthcare organisations are ideal targets, perfect blend of valuable data, poor security
- Healthcare systems do not know they are out of compliance until they get a penalty for a breach
- Information technology is often an afterthought, even as more and more healthcare data is digitised
- Past March, healthcare organisations saw 155% more breached records than previous year
- Protecting patients does not end when they walk out the door
- Security is no longer about protecting data, it is about protecting health, safety, well-being
- They have an obligation to keep patient’s information safe, and that starts and ends with security
Why healthcare lawyers are up at night
The top issue on a healthcare lawyer’s list of concerns is not what you might think. It is not medical malpractice, disgruntled employees, or healthcare regulations. According to Consero Group’s 2017 Healthcare General Counsel Report, the issue keeping lawyers at mid-to large-sized healthcare organisations up at night is data security.
It is practically impossible to control patients and families taking cellphone pictures and texting or posting them on social media. Regardless of the number of policies a hospital implements, it is a challenge to prevent doctors including independent doctors with hospital privileges and other staff members from using personal mobile devices to text or communicate patient information.
The ability to control those personal devices is fairly limited. It has created a situation where most people feel it is inevitable that something bad is going to happen. The Identity Theft Resource Center says in 2016, healthcare industry was responsible for 34.5% of breach incidents and 43.6% of all exposed records, more than any other industry studied.
There is a good chance that the something bad will include a serious financial penalty and a damaged reputation. US healthcare organisations racked up nearly $15 million in fines for HIPAA violations in the first seven months of 2016, with more than a third of it coming from a single settlement.
Adding another layer of complication is how difficult it is to know whether your organisation is in compliance with the law. HIPAA is unnecessarily vague and subject to interpretation, so you often need to hire external counsel to review even the things that you can control, like your network, electronic health record, or applications.
As mentioned above, you cannot control what everyone in the hospital is doing with their smartphones, so they may be accidentally divulging personal health information that puts you at risk anyway.
Most data security oversight is akin to compliance by fines – healthcare systems do not know that they are out of compliance until they get a penalty for a breach. When it is cheaper to pay a fine than it is to fix whatever is non-compliant, data security becomes a business expense and a risk some healthcare systems are willing to take. Whatever the reason, ignoring vulnerabilities until they are discovered is hardly the best way to protect personal, valuable health data.
Like most complex problems, it is going to take a combined effort to strengthen healthcare data security.
Here are some recommendations:
- Any applications they install must be user-friendly, otherwise staff will turn to less-secure shadow IT workarounds
- Device makers must strengthen device security, including regularly patching operating systems and apps against vulnerabilities
- Healthcare systems must secure their networks so they are not vulnerable to hackers
- Healthcare must write security requirements into procurement policies to force device, hardware, software makers to build security into everything they sell
- Healthcare workers must understand how mobile device policies protect personal health information
- Regulators must provide guidelines to make it easier to determine whether an organisation is in compliance with the law and if not how to achieve compliance